“the root of C:\Program Files (x86)\ScreenConnect\App_Extensions\ are likely malicious artifacts. ScreenConnect does not place any files within this directory normally. Detection guidance: While researching the above vulnerabilities, Huntress identified indicators of co…”
T1190 Exploit Public-Facing Application (59%)
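The detection guidance quoted above (files sitting directly in the root of App_Extensions are suspect, because ScreenConnect does not normally place files there) can be turned into a quick host check. The following PowerShell is an added example written for this page, not code from the Huntress post or from ConnectWise; the default path, the hypothetical function name and the fields it reports are assumptions for illustration, and it only lists root-level files, leaving the extension subdirectories alone.

```powershell
# Added example (not from the Huntress post). Enumerates files that sit directly in the
# root of the ScreenConnect App_Extensions directory, which the post says should
# normally contain no files. The default path and function name are assumptions.
$AppExtensions = 'C:\Program Files (x86)\ScreenConnect\App_Extensions'

function Get-SuspiciousAppExtensionFiles {
    param([string]$Path = $AppExtensions)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path (is ScreenConnect installed at a different path?)"
        return
    }

    # -File without -Recurse returns only items directly in the root, not the
    # contents of extension subdirectories. -Force includes hidden files.
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            SizeBytes   = $_.Length
            CreatedUtc  = $_.CreationTimeUtc
            WrittenUtc  = $_.LastWriteTimeUtc
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$hits = @(Get-SuspiciousAppExtensionFiles)
if ($hits.Count -gt 0) {
    Write-Host "Found $($hits.Count) file(s) in the root of $AppExtensions; treat as suspect and preserve for forensics:" -ForegroundColor Yellow
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No files directly in $AppExtensions"
}
```

Run it in an elevated session on the ScreenConnect server; the SHA256 column makes it easy to compare hits across hosts or against indicators you already hold, and the UTC timestamps give a first-pass timeline before any files are moved.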
“ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress. On February 19, 2024, ConnectWise published a security advisory for ScreenConnect version 23.9.8, referencing two vulnerabilities and software weaknesses. The same day, Huntress researchers worked to und…”
T1204.002 Malicious File (42%)
“the code base, we can see these utility functions only seem to be used when handling ScreenConnect extensions. Prior to this patch, a malicious extension could potentially write files anywhere within C:\Program Files (x86)\ScreenConnect\App_Extensions instead of being …”
T1190 Exploit Public-Facing Application (32%)
“is a video demonstration of our recreated proof-of-concept exploit, which performs the simple authentication bypass but takes it a step further to showcase remote code execution. Our analysis: When the Huntress team was made aware of the ConnectWise advisory, our team began to…”
Summary
This blog post covers the Huntress team's analysis of the two vulnerabilities and software weaknesses in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) and the technical details behind the attack.